<!DOCTYPE html>
<html lang="en-US">
<head>
	
<style>.async-hide { opacity: 0 !important} </style> 



    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
     
    <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=128260767783916&ev=PageView&noscript=1" /></noscript> 
     
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	
	<title>HabitsRAT Used to Target Linux and Windows Servers - Intezer</title>
	<meta name="description" content="Intezer has discovered a new malware variant, in addition to the version discovered by Shadowserver and Brian Krebs. The malware is written in GO and we are naming it HabitsRAT. It is targeting both Windows and Linux environments." />
	<link rel="canonical" href="https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="Simple backdoor allows the operator to execute arbitrary code on infected machines." />
	<meta property="og:url" content="https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2021-04-20T13:41:28+00:00" />
	<meta property="article:modified_time" content="2022-03-27T13:36:01+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02.png" />
	<meta property="og:image:width" content="2048" />
	<meta property="og:image:height" content="950" />
	<meta property="og:image:type" content="image/png" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:title" content="HabitsRAT Used to Target Linux and Windows Servers" />
	<meta name="twitter:description" content="Simple backdoor allows the operator to execute arbitrary code on infected machines." />
	<meta name="twitter:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02.png" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Joakim Kennedy" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="9 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.facebook.com/IntezerLabs/","https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","@id":"https://www.intezer.com/#logo","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#logo"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#primaryimage","inLanguage":"en-US","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02.png","width":2048,"height":950},{"@type":"WebPage","@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#webpage","url":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/","name":"HabitsRAT Used to Target Linux and Windows Servers - 
Intezer","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#primaryimage"},"datePublished":"2021-04-20T13:41:28+00:00","dateModified":"2022-03-27T13:36:01+00:00","description":"Intezer has discovered a new malware variant, in addition to the version discovered by Shadowserver and Brian Krebs. The malware is written in GO and we are naming it HabitsRAT. It is targeting both Windows and Linux environments.","breadcrumb":{"@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"HabitsRAT Used to Target Linux and Windows Servers"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#article","isPartOf":{"@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/9a754c27bb88ce12f115df9ec624893d"},"headline":"HabitsRAT Used to Target Linux and Windows 
Servers","datePublished":"2021-04-20T13:41:28+00:00","dateModified":"2022-03-27T13:36:01+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#webpage"},"wordCount":3438,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02.png","keywords":["Cloud Security","code reuse","Golang","HabitsRAT","Linux threats","Malware Analysis","Microsoft Exchange Server","Threat Detection","Windows threats"],"articleSection":["Malware Analysis"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/9a754c27bb88ce12f115df9ec624893d","name":"Joakim Kennedy","image":{"@type":"ImageObject","@id":"https://www.intezer.com/#personlogo","inLanguage":"en-US","url":"https://secure.gravatar.com/avatar/3b08f77795dc58f3477c625488d96bef?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/3b08f77795dc58f3477c625488d96bef?s=96&d=mm&r=g","caption":"Joakim Kennedy"},"url":"https://www.intezer.com/author/jkennedy/"}]}</script>
	


<link rel='dns-prefetch' href='//static.addtoany.com' />
<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/5.9.2/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='prismatic-blocks-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/css/styles-blocks.css?ver=23effe8e6ba9824e0c6debbf4d3ef488' media='all' />
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/5.9.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/5.9.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: 
linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.6' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=23effe8e6ba9824e0c6debbf4d3ef488' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=23effe8e6ba9824e0c6debbf4d3ef488' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1648576575' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.9.5' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.16' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.1.2' media='all' />
<!-- NOTE(review): onload="" is an inline event handler. Under a strict script-src
     CSP (no 'unsafe-inline' and no hash for it) the handler is dropped and this
     sheet stays a preload that is never applied. The wpacuLoadCSS function defined
     in the body (id wpacu-preload-async-css-fallback) appears intended as the
     non-inline route for the same handoff; moving the rel switch there would
     remove the only inline handler in this head. -->
<link   rel='preload' as='style' data-wpacu-preload-it-async='1' onload="this.onload=null;this.rel='stylesheet'" id='wpacu-preload-jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.8-a.9.2' media='all' />




<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/18164" />			
			
			
						
				<meta name="jetpack-boost-ready" content="false" />
		<style type='text/css'>img#wpstats{display:none}</style>
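					<!-- Google Fonts. The two googleapis URLs were protocol-relative ("//"),
					     which resolves to whatever scheme the page is served on; spelling out
					     https: pins the request so it cannot degrade to plaintext if this
					     markup is ever served over http. The preconnect duplicates the one
					     already emitted for fonts.gstatic.com earlier in this head; the
					     preload is consumed by the stylesheet link immediately after it, so
					     it only moves discovery slightly earlier. -->
					<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
				<link rel="preload" as="style" href="https://fonts.googleapis.com/css?family=Open+Sans&display=swap">
				<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all">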
							<style type="text/css">
				/* If html does not have either class, do not show lazy loaded images. */
				html:not( .jetpack-lazy-images-js-enabled ):not( .js ) .jetpack-lazy-image {
					display: none;
				}
			</style>
			
		                <style>
                    
					@font-face {
						font-family: 'aslsicons2';
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot');
						src: url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.eot?#iefix') format('embedded-opentype'),
							 url('https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff2') format('woff2'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.woff') format('woff'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.ttf') format('truetype'),
							 url('https://www.intezer.com/wp-content/plugins/ajax-search-lite/css/fonts/icons2.svg#icons') format('svg');
						font-weight: normal;
						font-style: normal;
					 font-display:swap;}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
						font-size: 0px !important;
						color: rgba(0, 0, 0, 0);
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
						font-size: 11px !important;
						position: absolute;
						top: 0;
						left: 0;
						z-index: 1;
					}
					div[id*='ajaxsearchlite'].wpdreams_asl_container {
						width: 100%;
						margin: 0px 0px 14px 0px;
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
						font-weight: bold;
						color: rgba(48, 138, 255, 1);
						background-color: rgb(255, 255, 255);
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
						width: 84px;
						height: 60px;
						background-size: cover;
						background-repeat: no-repeat;
					}
					div.asl_r .results {
						max-height: none;
					}
				
						.asl_m .probox svg {
							fill: rgba(204, 216, 228, 1) !important;
						}
						.asl_m .probox .innericon {
							background-color: rgba(255, 255, 255, 1) !important;
							background-image: none !important;
							-webkit-background-image: none !important;
							-ms-background-image: none !important;
						}
					
						div.asl_m.asl_w {
							border:1px solid rgba(48, 138, 255, 1) !important;border-radius:7px 7px 7px 7px !important;
							box-shadow: none !important;
						}
						div.asl_m.asl_w .probox {border: none !important;}
					
						div.asl_r.asl_w.vertical .results .item::after {
							display: block;
							position: absolute;
							bottom: 0;
							content: '';
							height: 1px;
							width: 100%;
							background: #D8D8D8;
						}
						div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
							display: none;
						}
					 div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
}
div.asl_w .probox .promagnifier {
    order: 1;
}
div.asl_r .results .item .asl_content h3, div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
}

div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
}

.wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
}

p.asl_desc {
    color: #849eb5;
}
span.asl_nores_header {
    font-size: 14px;
}                </style>
                			
            <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=79c8f516d6" />



</head>

<body class="post-template-default single single-post postid-18164 single-format-standard wp-custom-logo habitsrat-used-to-target-linux-and-windows-servers elementor-default elementor-kit-8921">
<!-- GTM anti-flicker snippet. Adds the async-hide class (opacity 0, see the first
     <style> in <head>) to <html> right away and removes it when GTM calls
     dataLayer.hide.end or, at the latest, after the 4000 ms timeout. Inline, so
     it needs a nonce or hash to survive a strict script-src CSP. -->
<script>
(function (win, rootElement, hideClass, layerName, timeoutMs, hideState) {
  rootElement.className += ' ' + hideClass;
  hideState.start = 1 * new Date;
  var reveal = function () {
    rootElement.className = rootElement.className.replace(RegExp(' ?' + hideClass), '');
  };
  hideState.end = reveal;
  (win[layerName] = win[layerName] || []).hide = hideState;
  setTimeout(function () {
    reveal();
    hideState.end = null;
  }, timeoutMs);
  hideState.timeout = timeoutMs;
})(window, document.documentElement, 'async-hide', 'dataLayer', 4000, {'GTM-KC95766': true});
</script>
<!-- GTM container loader: records the gtm.start timestamp on the data layer, then
     injects gtm.js asynchronously ahead of the first <script> in the document.
     The container script is third-party code fetched at runtime; it cannot carry
     an integrity attribute, so the origin has to be trusted via CSP script-src. -->
<script>(function (win, doc, tagName, layerName, containerId) {
  win[layerName] = win[layerName] || [];
  win[layerName].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
  var firstScript = doc.getElementsByTagName(tagName)[0];
  var loader = doc.createElement(tagName);
  var layerParam = layerName != 'dataLayer' ? '&l=' + layerName : '';
  loader.async = true;
  loader.src = 'https://www.googletagmanager.com/gtm.js?id=' + containerId + layerParam;
  firstScript.parentNode.insertBefore(loader, firstScript);
})(window, document, 'script', 'dataLayer', 'GTM-KC95766');</script>
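<!-- Meta (Facebook) pixel. The loader below fetches fbevents.js at runtime with no
     integrity attribute, so connect.facebook.net must be an allowed script-src. -->
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '128260767783916'); /* Insert your pixel ID here. */
/* As written on a single line, the vendor's "//" comment after the init call ran
   up to the closing tag and swallowed the track call, so no PageView event was
   ever queued. Kept as a block comment on its own line so the call executes. */
fbq('track', 'PageView');
</script>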
<script   type='text/javascript' id='addtoany-core-js-before'>
(function (a2aConfig) {
	// AddToAny configuration object, set up before page.js (loaded by the next
	// script tag) runs; presumably read by that script. Start every hook list empty.
	a2aConfig.callbacks = [];
	a2aConfig.overlays = [];
	a2aConfig.templates = {};
})(window.a2a_config = window.a2a_config || {});
</script>
<!-- Third-party script fetched from static.addtoany.com at runtime with no
     integrity attribute: whatever the vendor serves runs with full page
     privileges, so that origin should be explicitly listed in CSP script-src. -->
<script   type='text/javascript' async src='https://static.addtoany.com/menu/page.js' id='addtoany-core-js'></script>
<!-- Self-hosted jQuery 3.2.1. Later 3.x releases shipped fixes for published
     security bugs in jQuery itself, so this copy is worth bumping. -->
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=23effe8e6ba9824e0c6debbf4d3ef488' id='jquery-js'></script>
<!-- Deferred by media query: the tag is emitted without src; the real URL sits in
     the custom attribute wpacu-addtoany-jquery-src and the inline script that
     follows copies it into src only when data-wpacu-apply-media-query matches. -->
<script   data-wpacu-apply-media-query='screen and (min-width: 1024px)' type='text/javascript' async wpacu-addtoany-jquery-src='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1' id='addtoany-jquery-js'></script>
<script>
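function wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var) {
    // Media-query listener for the deferred AddToAny script tag. That tag is
    // emitted with its URL parked in the custom attribute
    // wpacu-addtoany-jquery-src and no src; once the viewport matches, the URL
    // is copied into src so the browser fetches it. Receives the MediaQueryList
    // (or the change event, which exposes the same .matches).
    if (!wpacu_addtoany_jquery_match_media_var.matches) {
        return;
    }
    var wpacuTarget = document.querySelector("[wpacu-addtoany-jquery-src]");
    // The original indexed querySelectorAll(...)[0] without a check; if the tag
    // is absent (stripped by another optimisation step) that threw a TypeError
    // from inside a matchMedia listener.
    if (wpacuTarget === null) {
        return;
    }
    wpacuTarget.setAttribute('src', wpacuTarget.getAttribute('wpacu-addtoany-jquery-src'));
}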
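try {
    var wpacu_addtoany_jquery_match_media_var = window.matchMedia("screen and (min-width: 1024px)");
    wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var);
    // Re-evaluated whenever the viewport crosses the 1024px breakpoint.
    wpacu_addtoany_jquery_match_media_var.addListener(wpacu_addtoany_jquery_match_media);
}
catch (wpacuError) {
    // window.matchMedia is unavailable (or the listener threw): load the script
    // unconditionally. A <script> element has no href attribute, so the
    // original's setAttribute('href', ...) never started a fetch and this
    // fallback silently did nothing; src is the attribute that triggers the load.
    var wpacuFallbackTag = document.querySelector("[wpacu-addtoany-jquery-src]");
    if (wpacuFallbackTag !== null) {
        wpacuFallbackTag.setAttribute('src', wpacuFallbackTag.getAttribute('wpacu-addtoany-jquery-src'));
    }
}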
</script>
<script type="text/javascript">
				var _hsq = _hsq || [];
				// Queues the page type for HubSpot analytics before its tracker loads.
				(function (hsQueue) {
					hsQueue.push(["setContentType", "blog-post"]);
				})(_hsq);
			</script>
<script>
				(function() {
					var hbspt = window.hbspt = window.hbspt || {};
					hbspt.forms = hbspt.forms || {};
					hbspt._wpFormsQueue = [];
					hbspt.enqueueForm = function(formDef) {
						if (hbspt.forms && hbspt.forms.create) {
							hbspt.forms.create(formDef);
						} else {
							hbspt._wpFormsQueue.push(formDef);
						}
					};
					if (!window.hbspt.forms.create) {
						Object.defineProperty(window.hbspt.forms, 'create', {
							configurable: true,
							get: function() {
								return hbspt._wpCreateForm;
							},
							set: function(value) {
								hbspt._wpCreateForm = value;
								while (hbspt._wpFormsQueue.length) {
									var formDef = hbspt._wpFormsQueue.shift();
									if (!document.currentScript) {
										var formScriptId = 'leadin-forms-v2-js';
										hubspot.utils.currentScript = document.getElementById(formScriptId);
									}
									hbspt._wpCreateForm.call(hbspt.forms, formDef);
								}
							},
						});
					}
				})();
			</script>
<script>
				(function (rootElement) {
					// Flags that scripting is on: the <head> rule that hides
					// .jetpack-lazy-image on an html element lacking this class (or .js)
					// then stops applying.
					rootElement.classList.add('jetpack-lazy-images-js-enabled');
				})(document.documentElement);
			</script>
<script type="text/javascript">
                (function (asl) {
                    // Ajax Search Lite: boot the widget only when the plugin's global
                    // has loaded and exposes initialize().
                    if (asl == null || typeof asl.initialize === "undefined") {
                        return;
                    }
                    asl.initialize();
                })(typeof _ASL !== "undefined" ? _ASL : null);
            </script>
<script id="wpacu-preload-async-css-fallback">
/*! LoadCSS. [c]2020 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/
(function (win) {
  "use strict";
  // Appends a <link rel="stylesheet"> for `href` with media "only x" (so it does
  // not block rendering), placed before `before` or after the last child of
  // <body>/<head>, then switches it to `media` (default "all") once the sheet
  // shows up in document.styleSheets or its load event fires. Optional
  // `attributes` are copied onto the element first. Returns the <link>.
  var wpacuLoadCSS = function (href, before, media, attributes) {
    var doc = win.document;
    var link = doc.createElement('link');
    var anchor;
    if (before) {
      anchor = before;
    } else {
      var siblings = (doc.body || doc.getElementsByTagName('head')[0]).childNodes;
      anchor = siblings[siblings.length - 1];
    }
    var sheets = doc.styleSheets;
    if (attributes) {
      for (var attributeName in attributes) {
        if (attributes.hasOwnProperty(attributeName)) {
          link.setAttribute(attributeName, attributes[attributeName]);
        }
      }
    }
    link.rel = "stylesheet";
    link.href = href;
    link.media = "only x";
    // Defers `cb` until <body> exists, re-polling on a zero-delay timer.
    function whenBodyReady(cb) {
      if (doc.body) {
        return cb();
      }
      setTimeout(function () { whenBodyReady(cb); });
    }
    whenBodyReady(function () {
      anchor.parentNode.insertBefore(link, (before ? anchor : anchor.nextSibling));
    });
    // Polls document.styleSheets until an entry with the sheet's resolved href
    // appears, then runs `cb`. Exposed on the element under the same name.
    var onwpaculoadcssdefined = function (cb) {
      var resolvedHref = link.href;
      var idx = sheets.length;
      while (idx--) {
        if (sheets[idx].href === resolvedHref) {
          return cb();
        }
      }
      setTimeout(function () { onwpaculoadcssdefined(cb); });
    };
    function applyMedia() {
      if (link.addEventListener) {
        link.removeEventListener("load", applyMedia);
      }
      link.media = media || "all";
    }
    if (link.addEventListener) {
      link.addEventListener("load", applyMedia);
    }
    link.onwpaculoadcssdefined = onwpaculoadcssdefined;
    onwpaculoadcssdefined(applyMedia);
    return link;
  };
  if (typeof exports !== "undefined") {
    exports.wpacuLoadCSS = wpacuLoadCSS;
  } else {
    win.wpacuLoadCSS = wpacuLoadCSS;
  }
}(typeof global !== "undefined" ? global : this));
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-725468766"></script>
<script>
  // Google tag bootstrap. The dataLayer queue is shared with any other tag
  // script on the page, so it is only created when missing.
  if (!window.dataLayer) {
    window.dataLayer = [];
  }
  // gtag() does nothing but queue its arguments on dataLayer.
  function gtag() {
    dataLayer.push(arguments);
  }
  gtag("js", new Date());
  // Same tag id as in the loader script URL above.
  gtag("config", "AW-725468766");
</script>


<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KC95766"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

<p><script>
// After Contact Form 7 reports a successful send, mirror the submission into
// the Google Tag Manager dataLayer so tags can react to it.
document.addEventListener( 'wpcf7mailsent', function( event ) {
 // Assumes window.dataLayer was initialised by an earlier script; if it is
 // missing this handler throws instead of recording the submission.
 window.dataLayer.push({
 "event" : "request-submission",
 "formId" : event.detail.contactFormId,
 // NOTE(review): this forwards the submitted form inputs themselves (presumably
 // the field name/value pairs, i.e. the contact details a visitor typed), not
 // just the fact of a submission, so any tag fired on this event can read them —
 // confirm that is intended and covered by the site's data-handling rules.
 "response" : event.detail.inputs
 })
}); 
</script></p>



<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/"
  },
  "headline": "HabitsRAT Used to Target Linux and Windows Servers",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02-1270x475.png",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2021-04-20"
}
</script>





	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">HabitsRAT Used to Target Linux and Windows Servers</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/12/headshot-scaled-e1607466945157-60x60.jpg" class="user-photo"><div class="user-bio"><span class="author-light">Written by </span><span class="author-name"> Joakim Kennedy</span><span class="author-date"> - 20 April 2021</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/BlogPostImage_1024x475_02-1270x475.png" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f15120-o2" lang="en-US" dir="ltr">
</div></div><div class="col-md-9 blog-main"><div class="single-post-content">We have discovered a new malware family written in Go, which we are calling HabitsRAT, that targets both Windows and Linux machines. The Windows version was first reported by <a href="https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/" target="_blank" rel="noopener noreferrer">Brian Krebs</a> and <a href="https://www.shadowserver.org/news/shadowserver-special-report-exchange-scanning-5/" target="_blank" rel="noopener noreferrer">The Shadowserver Foundation</a> in attacks against Microsoft Exchange servers. In addition to that version, we have identified a newer Windows variant and a variant targeting Linux environments. At the time of writing, the Linux sample had zero detections from the antivirus engines on VirusTotal.

We assess that the Linux version is used against Linux servers in a campaign adjacent to the one reported by The Shadowserver Foundation. The malware lets the operator control the compromised machine remotely. To prevent the implant from being hijacked by other actors, every command is signed with a private key held only by the operator, and the malware refuses to execute any command whose signature does not verify (see the <strong>RunSignedCommand</strong> routine in the listings below). This is unusual for an otherwise simple backdoor and suggests a developer with some operational-security awareness. It also has a practical consequence for defenders: taking over or sinkholing the C2 infrastructure does not allow anyone without the operator’s signing key to task an already-infected host.
<h2 style="color: #627d98; font-size: 28px;">Intro</h2>
On March 28th, Brian Krebs published a <a href="https://krebsonsecurity.com/2021/03/no-i-did-not-hack-your-ms-exchange-server/" target="_blank" rel="noopener noreferrer">blog post</a> about attacks against Microsoft Exchange servers. In one of those attacks a webshell called “<strong>Babydraco</strong>” was deployed and then used to drop a previously undocumented piece of malware. The binary had the filename “<strong>krebsonsecurity.exe</strong>” and used a Command and Control (C2) server at “<strong>brian[.]krebsonsecurity[.]top</strong>” (domain defanged). This malware turns out to be a <a href="https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/">remote access trojan</a> (RAT) written to target both Windows and Linux machines. Based on strings found in the binary, we have named it HabitsRAT.



While the Windows version of the RAT has been documented on compromised Microsoft Exchange servers, it is not known what type of servers the Linux version is used against. Still, in the last couple of months numerous remote code execution (RCE) vulnerabilities have been disclosed in appliances and services running on Linux. About a month ago, CISA released an advisory urging users of F5 BIG-IP to apply patches addressing RCE vulnerabilities. Internet-facing appliances of this kind are a plausible initial-access vector for a Linux implant, although we have no direct evidence tying HabitsRAT to any specific vulnerability.
<h2 style="color: #627d98; font-size: 28px;">Technical Analysis</h2>
HabitsRAT is a simple backdoor that allows the operator to execute arbitrary code on the infected machine. While simple in design, it has functionality that makes the attack more complex than is normally seen. The malware is written in Go and targets at least Windows and Linux. The structure of the Windows version, <a href="http://go-re.tk/redress/" target="_blank" rel="noopener noreferrer">recovered with redress</a>, is shown in the listing below. Most of the code is shared between the Windows and Linux versions; the operating-system-specific code lives in “<strong>commandplatform_windows.go</strong>”, “<strong>keyplatform_windows.go</strong>” and “<strong>persistencehandler_windows.go</strong>”, and the remaining files are shared with the Linux version. Note the split between root and user code paths (<strong>IsRoot</strong>, <strong>GetRootKeyStore</strong>/<strong>GetUserKeyStore</strong>, <strong>GetBinStoreRoot</strong>/<strong>GetBinStoreUser</strong>, <strong>InstallPersistRoot</strong>): the key-store and binary locations, and therefore the on-disk artifacts a responder should look for, appear to depend on the privilege level the malware runs with.


<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Package main: C:/Users/user/habits/habits-client</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: commandhandler.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;RunSignedCommand Lines: 17 to 35 (18)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: commandplatform_windows.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;RunCommand Lines: 8 to 13 (5)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: keyhandler.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetOrGenerateKey Lines: 13 to 23 (10)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GenerateKey Lines: 23 to 42 (19)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetKeyStore Lines: 42 to 50 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;SetKey Lines: 50 to 68 (18)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetKey Lines: 68 to 77 (9)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: keyplatform_windows.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetRootKeyStore Lines: 11 to 19 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetUserKeyStore Lines: 19 to 27 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;IsRoot Lines: 27 to 49 (22)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: main.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;main Lines: 17 to 34 (17)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: persistencehandler.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;InstallPersistence Lines: 9 to 17 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;CopyBinary Lines: 17 to 22 (5)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: persistencehandler_windows.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;CheckPersistence Lines: 11 to 21 (10)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetBinStoreRoot Lines: 21 to 29 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetBinStoreUser Lines: 29 to 37 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp; InstallPersistRoot Lines: 37 to 98 (61)</span></p>


The Linux source code structure is shown in the listing below. The Linux-specific code is in “<strong>commandplatform_linux.go</strong>”, “<strong>keyplatform_linux.go</strong>” and “<strong>persistencehandler_systemd_linux.go</strong>”; the name of the last file suggests that persistence on Linux is achieved through a systemd unit, which is worth checking for during triage. Note also that the Linux build reports the same package path, <strong>C:/Users/user/habits/habits-client</strong>, as the Windows build, indicating the Linux binary was cross-compiled from the same Windows development environment.
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Package main: C:/Users/user/habits/habits-client</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: commandhandler.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;RunSignedCommand Lines: 17 to 35 (18)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: commandplatform_linux.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;RunCommand Lines: 8 to 13 (5)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: keyhandler.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetOrGenerateKey Lines: 13 to 23 (10)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GenerateKey Lines: 23 to 46 (23)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetKeyStore Lines: 46 to 54 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;SetKey Lines: 54 to 72 (18)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetKey Lines: 72 to 84 (12)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;IsRootAsString Lines: 84 to 86 (2)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: keyplatform_linux.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetRootKeyStore Lines: 9 to 16 (7)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;GetUserKeyStore Lines: 16 to 17 (1)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: main.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;main Lines: 17 to 34 (17)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: persistencehandler.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;InstallPersistence Lines: 9 to 17 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;CopyBinary Lines: 17 to 20 (3)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">File: persistencehandler_systemd_linux.go&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;Systemd_CheckPersistence Lines: 11 to 25 (14)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;Systemd_GetBinStoreUser Lines: 25 to 33 (8)&nbsp;&nbsp;&nbsp;&nbsp;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp; Systemd_InstallPersistRoot Lines: 33 to 64 (31)</span></p>

<h2 style="color: #627d98; font-size: 24px;">Installation</h2>
When the binary is run, it installs itself into a fixed location. The Windows version copies itself to “<strong>%SystemDrive%\Windows\Defender\MsMpEng.exe</strong>” (directory separators were lost when this page was rendered; the path is reconstructed here), a name chosen to imitate the Windows Defender engine binary, which is not installed at that location. The Linux version uses “<strong>$HOME/.config/polkitd/polkitd</strong>”, so when it runs as root the copy ends up at “<strong>/root/.config/polkitd/polkitd</strong>”.



After the malware has installed itself, it checks whether its persistence mechanism is already in place and sets it up if not. On Linux it uses a systemd unit. It checks for an existing installation by running “<strong>systemctl status polkitd</strong>”, as shown in Figure 1. The unit name is chosen to blend in with the legitimate polkit daemon; for hunting, a <strong>polkitd.service</strong> whose ExecStart points into a user’s home directory, or a <strong>systemctl status polkitd</strong> invocation spawned by a process running out of <strong>~/.config</strong>, is the distinguishing signal.

<center style="color: #627d98;"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/pasted-image-0-1.png" alt="Linux version of the malware checking whether persistence has already been configured" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/pasted-image-0-1.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/pasted-image-0-1.png" alt="Linux version of the malware checking whether persistence has already been configured"></noscript>

<em>Figure 1: Linux version of the malware checks if persistence has been configured already.</em>

</center>

The systemd unit file is created at “<strong>/etc/systemd/system/polkitd.service</strong>” and its content is shown in the code snippet below (“/path/to/binary” stands for the installed copy, e.g. <strong>/root/.config/polkitd/polkitd</strong>). Writing into /etc/systemd/system requires root, and the function listing above shows only a <strong>Systemd_InstallPersistRoot</strong> routine, so whether a non-root run has any fallback persistence is not visible in this sample.
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">[Unit]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Description=Authorization Manager</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">After=network.target</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">[Service]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">GuessMainPID=no</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">ExecStart="/path/to/binary"</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Restart=always</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">[Install]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">WantedBy=multi-user.target</span></p>


The Windows version of HabitsRAT uses a scheduled task for persistence. First it writes the task definition XML to “<strong>%TEMP%\krebsonsecurity.xml</strong>” (separator reconstructed); the content of the file is shown in the snippet below. The task is then registered with the shell command “<strong>sCHtAsks.exe /create /xml %TEMP%\krebsonsecurity.xml /tn WindowsDefenderScan</strong>”. Three details matter for detection: the mixed-case <strong>sCHtAsks.exe</strong> defeats case-sensitive command-line matching, so rules should be case-insensitive; the task runs as LocalSystem (<strong>S-1-5-18</strong>, RunLevel HighestAvailable), which normally requires administrative rights to register, so this persistence implies the malware was running elevated; and because the name is supplied via <strong>/tn</strong>, the registered task is <strong>WindowsDefenderScan</strong>, not the <strong>\Microsoft\MicrosoftUpdater</strong> URI that appears in the XML’s RegistrationInfo.
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&lt;?xml version="1.0" encoding="UTF-16"?&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&lt;Task version="1.2"</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;RegistrationInfo&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Date&gt;2020-12-18T09:56:46.3915265&lt;/Date&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Author&gt;Microsoft Corporation&lt;/Author&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;URI&gt;\\Microsoft\\MicrosoftUpdater&lt;/URI&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;/RegistrationInfo&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;Triggers&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;BootTrigger&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Enabled&gt;true&lt;/Enabled&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Delay&gt;PT1M&lt;/Delay&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/BootTrigger&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;/Triggers&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;Principals&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Principal id="Author"&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/Principal&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;/Principals&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;Settings&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;IdleSettings&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/IdleSettings&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Enabled&gt;true&lt;/Enabled&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Hidden&gt;false&lt;/Hidden&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Priority&gt;7&lt;/Priority&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;/Settings&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;Actions Context="Author"&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Exec&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;Command&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;path\to\binary</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/Command&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&lt;/Exec&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp; &lt;/Actions&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&lt;/Task&gt;</span></p>

<h2 style="color: #627d98; font-size: 24px;">Command and Control Communication</h2>
The RAT uses public-key cryptography to both encrypt and authenticate the commands from the C2 server. The malware generates a public-private key pair using the open-source <em>gopenpgp</em> library from Proton Mail. Figure 2 shows the call to the <a href="https://pkg.go.dev/github.com/ProtonMail/gopenpgp/v2@v2.1.7/helper#GenerateKey" target="_blank" rel="noopener">GenerateKey</a>&nbsp;function and its arguments. The malware uses the machine’s hostname as the key’s name and “<strong>a@a.a</strong>” as its email address. No passphrase is supplied, and a 2048-bit RSA key is requested.



The key pair is written to disk. The Linux version of HabitsRAT writes it to “<strong>$HOME/.config/.accounts-daemon/accounts-daemon.login.conf</strong>” when running as a normal user, or to “<strong>/usr/share/accounts-daemon/accounts-daemon.so</strong>” when running as root. The Windows version uses “<strong>%SystemDrive%\Windows\Defender\MsMpEng.dll</strong>” or “<strong>%APPDATA%\Windows NT\Defender\MsMpEng.dll</strong>” (separators reconstructed) instead. Because the key has no passphrase, an incident responder who recovers this file from an infected host can decrypt any C2 responses captured in that host’s network traffic.

<center style="color: #627d98;"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/pasted-image-0-2.png" alt="Generation of the public-private key pair using the Proton Mail gopenpgp library" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/pasted-image-0-2.png?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/pasted-image-0-2.png" alt="Generation of the public-private key pair using the Proton Mail gopenpgp library"></noscript>

<em>Figure 2: Generation of public-private key pair using the open-source library from Proton Mail.</em>

</center>

HabitsRAT sends a “check-in” <em>POST</em>&nbsp;request to the C2 server to ask whether it should execute a command. The request carries some data about the infected machine; its form fields are shown below. The “<strong>no_replay</strong>” field holds the SHA-256 hash of some random bytes and is meant to act as a nonce: the same name reappears as <strong>No_replay</strong> in the command structure the server returns (see below), presumably so the client can tie a response to its own request and reject replayed ones, although whether the client actually compares the two values is not shown here. The request also includes the instance’s public key, which lets the C2 server encrypt commands to it, and a version value hardcoded to 11.
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">no_replay: [sha256 hash of random data]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">public_key: public key in ascii armour</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">hostname: [machine hostname]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">goos: [linux or windows]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">goarch: amd64</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">shell: [$SHELL expanded]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">root: [true or false]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">version: 11</span></p>


The data is sent to “<strong>https://brian.krebsonsecurity[.]top/checkin</strong>”. If no command is returned, the malware sleeps for 10 seconds and sends the request again. If the C2 responds with data, the malware verifies that the response is signed by the threat actor’s key, whose public half is hardcoded in the binary; a sinkholed or spoofed C2 therefore cannot task the bots without the operator’s private key. Metadata extracted from the key shows it was generated in December 2020 and carries a name and a Gmail address (redacted below; note that the ASCII-armored key in the IoC section still contains the user-ID packet, so the redaction does not carry over to it).
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">pub &nbsp; rsa3072 2020-12-03 [SC] [expires: 2022-12-03]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">uid &nbsp; &nbsp; &nbsp; [REDACTED] &lt;[REDACTED]@gmail.com&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">sub &nbsp; rsa3072 2020-12-03 [E] [expires: 2022-12-03]</span></p>
If the correct key has signed the response, HabitsRAT uses its private key to decrypt the payload. The data has been serialized to JSON and the malware unmarshals it to the data structure shown below.


<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">type main.CommandList struct {</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;No_replay string</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">&nbsp;&nbsp;&nbsp;&nbsp;Commands []string</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">}</span></p>
Each entry in the Commands field is passed as an argument to “<strong>bash -c</strong>” on Linux or “<strong>cmd /c</strong>” on Windows. A process named <strong>polkitd</strong> or <strong>MsMpEng.exe</strong> spawning <strong>bash -c</strong> / <strong>cmd /c</strong> children is therefore a useful behavioural detection for command execution.
<h2 style="color: #627d98; font-size: 24px;">HabitsRAT Version 12</h2>
A newer Windows version of HabitsRAT has also been found. Much of the functionality is the same as version 11; the main differences are a different C2 public key and support for multiple C2 addresses. As the snippet below shows, this key was generated on 2 April 2021. Its user ID impersonates Brian Krebs and says nothing about who actually operates the malware.


<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">pub &nbsp; rsa3072 2021-04-02 [SC] [expires: 2023-04-02]</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">uid &nbsp; &nbsp; &nbsp; Brian Krebs &lt;krebsonsecurity@gmail.com&gt;</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">sub &nbsp; rsa3072 2021-04-02 [E] [expires: 2023-04-02]</span></p>


The malware has four C2 addresses and picks one at random. They are listed below (defanged); one of them is a domain built from Brian Krebs’s leaked social security number and is redacted here:


<ul>
 	<li>hxxps://brian-krebs-erectile-dysfunction[.]com</li>
 	<li>hxxps://krebsonfellatio[.]net</li>
 	<li>hxxp://XXX-XX-XXXX[.]com (redacted)</li>
 	<li>hxxp://185.193.126[.]198</li>
</ul>


The C2 address list is stored on disk at (directory separators reconstructed):


<ul>
 	<li>%SystemDrive%\Windows\Defender\Defender.dll</li>
 	<li>%APPDATA%\Windows NT\Defender\Defender.dll</li>
</ul>
<h2 style="color: #627d98; font-size: 28px;">Conclusion</h2>
HabitsRAT is a cross-platform malware targeting both Windows and Linux environments, with a lot of <a href="https://analyze.intezer.com/files/338e41f1a8be56339b039835b06d815a3666c8b0d5725b63be7bf54c8745704a" target="_blank" rel="noopener">code reuse</a>&nbsp;between the two variants.&nbsp;It gives the attacker the ability to execute arbitrary shell commands on the infected machine, and its C2 traffic is encrypted and signed with PGP, so network inspection alone will not reveal the commands. Since HabitsRAT is deployed onto servers that have already been compromised, keeping internet-facing servers patched is the primary prevention; the Indicators of Compromise (IoCs) below can be used to determine whether a server has been compromised.

<a href="https://www.intezer.com/resource/year-of-the-gopher-2020-go-malware-round-up/">Go malware</a>&nbsp;has historically been hard for antivirus products to detect, and this trend is likely to continue. We have seen threat actors pivot to other operating systems with the same codebase, producing samples with low or no detection—especially on Linux, which has a large presence&nbsp;in the cloud. Because the variants are built from the same codebase, detection based on code reuse has proven very effective against them.



Runtime protection with <a href="http://www.intezer.com/intezer-protect">Intezer Protect</a>&nbsp;gives you immediate visibility over all code running in your systems and alerts you whenever unauthorized or malicious code is executed. Intezer Protect users can detect and mitigate threats like HabitsRAT on their Linux systems. Protect 10 hosts <a href="https://protect.intezer.com/signup" target="_blank" rel="noopener">for free</a> with our community edition.

<center style="color: #627d98;"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/HabitsRat.gif" alt="HabitsRAT detection in Intezer Protect" data-lazy-src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/HabitsRat.gif?is-pending-load=1" srcset="" class=" jetpack-lazy-image"><noscript><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/04/HabitsRat.gif" alt="HabitsRAT detection in Intezer Protect"></noscript>

<em>Figure 3: HabitsRAT detection in Intezer Protect.</em>

</center>
<h2 style="color: #627d98; font-size: 28px;">IoCs</h2>
<h2 style="color: #627d98; font-size: 24px;">Hashes</h2>
<h2 style="color: #627d98; font-size: 20px;">Windows version of HabitsRAT</h2>

<ul>
 	<li>29ebf9771e52cde90776eeccd89aaf4c19577ef136258daef1a17c767ce88c9d</li>
 	<li>37a16e79e5be132d7e6c2e1ee482d80d93ad942af7110a4bc3a05f0b575236b0</li>
 	<li>5f7d898ade3162bfb0c8d3006c42e934ff81fab3b4ad3b51c13441fd63e438cb</li>
 	<li>9e840be4b4ab358bc3405e2c688f3ab1a9d286bd4fb9edb4468dc688962b4893</li>
 	<li>f556c9b4e5bb463be84dead45a9aedcf8bec41c1c2b503ea52719357943750e7</li>
</ul>

<h2 style="color: #627d98; font-size: 20px;">Linux version of HabitsRAT</h2>

<ul>
 	<li>338e41f1a8be56339b039835b06d815a3666c8b0d5725b63be7bf54c8745704a</li>
</ul>

<h2 style="color: #627d98; font-size: 24px;">File paths</h2>

<p>Windows directory separators were stripped when this page was rendered; the backslashes below are reconstructed.</p>
<ul>
 	<li>%SystemDrive%\Windows\Defender\MsMpEng.exe</li>
 	<li>$HOME/.config/polkitd/polkitd</li>
 	<li>/etc/systemd/system/polkitd.service</li>
 	<li>%TEMP%\krebsonsecurity.xml</li>
 	<li>$HOME/.config/.accounts-daemon/accounts-daemon.login.conf</li>
 	<li>/usr/share/accounts-daemon/accounts-daemon.so</li>
 	<li>%SystemDrive%\Windows\Defender\MsMpEng.dll</li>
 	<li>%APPDATA%\Windows NT\Defender\MsMpEng.dll</li>
 	<li>%SystemDrive%\Windows\Defender\Defender.dll</li>
 	<li>%APPDATA%\Windows NT\Defender\Defender.dll</li>
</ul>

<h2 style="color: #627d98; font-size: 24px;">Network indicators</h2>

<ul>
 	<li>brian[.]krebsonsecurity[.]top</li>
 	<li>brian-krebs-erectile-dysfunction[.]com</li>
 	<li>krebsonfellatio[.]net</li>
 	<li>185.193.126.198</li>
</ul>

<h2 style="color: #627d98; font-size: 24px;">C2 public keys</h2>
<h2 style="color: #627d98; font-size: 20px;">Version 11</h2>


-----BEGIN PGP PUBLIC KEY BLOCK-----


<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">mQGNBF/I9bUBDACtHQlddPduY2DXMrQHxsh+jCP2ojeMi+08VmuC/eCG3+x0815p</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">ymssBejVcCckahu0EIJZIl5WaRY+nOJKF9VOdLoegpVmqPmX3GE0FJBR/cGGLSqQ</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">bofuDbWBIwQPVwHT+QriDpAK9M80H5f6FPm2HqcXJV2fI7FJ5pLWSTMRGhnTjt5D</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">aSiZqbXhYuq1W3S4zWSsh0TZPn0a4J44N/MwrlrPtr+Q+p31diEHPhQVQZ7a6QKD</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">ysM3SAx5hSUueli6nawRt6UkOhTbeL1SaGA1dv3PHliTLvOt+OZ6oEAU8aKp3Y2S</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">PQ3jKkR7x6jzkRNbu3DoXz70Te97f5ZS0qS6WFWSnpTXWC8JN0NG0cG3tDZ9ClyH</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">NhNnMKl040y33BzBzhQmQmHaX7NwwqEB54HIYsfE4fiSrKovxOkBBXcmS8sPhuhH</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Hk6ZiXqEzlB+pIMvtXvNWT3qqhOC/ggmCUpt1YNHnOYoI93A+dlpbRSbmFOkSwL0</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Zvd3RhzddtTIUf8AEQEAAbQnTWF0dCBIYXluaWUgPHBhemVyZnJvbXNpbHZlckBn</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">bWFpbC5jb20+iQHUBBMBCAA+FiEEmgXO4h7loKvki421YmZthezMP4EFAl/I9bUC</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">GwMFCQPCtQsFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQYmZthezMP4Ex/gv9</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">FHhkSKm9u5REhdCF+Ez8jk4LzoLGOaNdA8hcMCVHBWCMeE3yTGHec1P16WAqJhG+</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">LmlfpS7r0QIANeZC2W0rFI2b/lMBFzpzynR2Fi/Gpph4chNlzqlQJWgSvlBPsw0M</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">nnNwpzRfQhbcSdS/j+zFPE01bSkpm93TczcIvXvdFqJQfpU03pHrAFAvA1pmBkEW</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">NOmZ8JgLn+HReJQCeCteUbiBdGVIDPneyENZzRcO3fuXzlg3yysPIFKRBbGAqiCt</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">gtf+RsoyQ19k5vTSjXHK1KYWVvE9dA4levuN8iYKLhPxpBDNGSkY0n5NqECQpkJW</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">oG0dTDzMDtbAAdjhsoFIv4vH3aGr3iuoYv1ax5WxBSRb2h4Zno0Np4emo91p8FS4</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">KQXuNivYO5SXcEiXNRfDbUSN3J51b6v+SZGmdDhQUEWrEQ7MGl8eBT7DH3+ioZtO</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">qtezE/MnDzRIZW+o7yeryF9/aqLCa5oEFKNKgHM6n9Jmh4KAip1oiJArCJUHUQkI</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">uQGNBF/I9bUBDADrDvqlvnPjMQNXCWdlKjBgmiVAcWxRe5NmdIe4d43GdLXEOsWI</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">eTNY1/L5g4ZLXTeTgMo9ugU9bhwviWq6gro2hPXZVmBhHEVEAtICNjFTlHBOUhab</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">U+riCEeNzE3jneqfS/x04eNirM7hAplSOMOtag49TPwjzqnqGr1r/oe8L1BXHcUP</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Cl6EQzk4NSGrNVO8E7Ppm7yeDnK9C0+4LXaMu19np/r43lg1FBk6O4d/q4/S7p+q</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">P/TILTDC0hPSQw+aAjQPKlfWAjZUQ0CcJT1A5x5SIVWqlpL85ltphdJzCmCiTtmm</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">kMIvX86OxZkzhligkJ1r1QM8OL+t9Mzq9mglc6PHUXIISiaVvwI3ZWH1OxI6ate3</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">znV8n3wfAbURDoTmPCMSNziSrvT39zsUCxY7zQoKoeNUBmx8AWW0Sgms2z1oK8ti</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">+JekSBbxLNVElglwDgtSLkgA4dOnfTUtCDstZouxVnenhLD7jUSmhbS+XIkjsOUY</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">+mXshXvqEb1rD5cAEQEAAYkBvAQYAQgAJhYhBJoFzuIe5aCr5IuNtWJmbYXszD+B</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">BQJfyPW1AhsMBQkDwrULAAoJEGJmbYXszD+BbzUMAIviQCxye0jQVnHwT1JjnyjF</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">7JaiJlU2nOQave16DmyHcu0rejJLhJoQXaA28Qgkv+6mOK4fXWyPV+iAcr3AKuTV</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">EVY6EDwwUwGn/RxcIYVt8qSZanj+cd6g9iJR3UMb9//25ggIW618NvW0zODowwNu</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">GDF5ei4cyhvA3NjCCqIvwxO+XRJynp+0lQl0ulOCS+Y+/V3H0+0EhIrJ8x5TvnE9</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">yC8CtagR0S53mNtmbS3A8INV/Gj6M7/7BZ2eVkbZRVEoQkhmr/lvJ/n4QhYcgre9</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">1iboJ75TorVEOH1B0Q/3IACBD/fEnSogjij8Vf/bdb4W/8LHpeV8bbtDzkzMfh7i</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">SxoF8y1kBl/YXrbs4mFcwgQ8KKqKkYkMp9p527LF/gglE54xMMXdp2WG65oh5jZz</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">0vzASRgwAI+K0LuN1+McUJwWtWQlcnQEEDlvbHVe1jKOrdqqf+BRxl2rNDU0P+u+</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">mtrn7vMinEja8k6O2N2RsL0TvLyGD+sAPKUZG7Q/Bg==</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">=gbms</span></p>


-----END PGP PUBLIC KEY BLOCK-----


<h2 style="color: #627d98; font-size: 20px;">Version 12</h2>


-----BEGIN PGP PUBLIC KEY BLOCK-----


<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">mQGNBGBm0jYBDAC83QCJbnqPtHUfazjzNEeNmHY2zUeV8tXaKUkFyeIG9QmSSZ4u</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">0Y+uNR3p5CkexQC0C6STIkDE43fYU92N+Olt7jFcYK718vPv6ieGSuuztJqnrOKX</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">9jY/22iRPYFNjcw+LPQzm4CXyD3gugfp3Jm1JO99y5D5PDbP6yVpG6Fm6TmzOXku</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">grLoWBLWBn5Z6BJAB1YYM35vJpjC22eY6uFF6fhAW7K8mZNUKYHGwZOfkK5F+27Y</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">lxiaOHjh0mjfisWWvcvlImd5dd7614Pu5Yl3PfH4p7fUZJsGofj+hyiZHd9luIM1</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">yc9TWSQBSeBKIFM9iU7a4i0vB4rbY355tYBckuCVyt4NNBnDO0/zgVOZkf/qjTm+</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">JUZlxQJ54Gs7aWueo/aWSaqCN/TIqD909coDbw+sUA1CojLsw+ghPJBBzB/sSjzA</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">OCvGOVn+TCr8hV8OBpONXRQFUO4do6VALE/tqBlMMy12Lq/DunM87Mrb9zpJGZyh</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">JkqGP05xdT9omIEAEQEAAbQnQnJpYW4gS3JlYnMgPGtyZWJzb25zZWN1cml0eUBn</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">bWFpbC5jb20+iQHUBBMBCgA+FiEEOQFTY4snpri84X9c/wQVl3dsa2QFAmBm0jYC</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">GwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ/wQVl3dsa2QgEQv+</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Px8Vl1WxzlWWoZsAkmLsXZzPuudAAFWai97g89/D3+D8kxKAiqq2mam9YKx/Cimn</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">B4HwGhE7ildWfVcJUx63t30Vm8rMIg1M63PQJ+CSIIU8cNEsWSOr8RIcfCTcenDZ</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">ZdK761c1xNXypag/oToTdDTOCRlfeLFkw2fgcHVsxJoIH00MtAT1utqo7xl15kGk</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">0jodlv6mDp17E4JBcg2aT4HpzVUIgeDOzCi5b8QPj0X1iDes8DolYu1wHnNaVAXg</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">SNshR5v5VbrFXvKfyx7sRA8lxQn4HkmnOH18drG+gsE0msFoveqf2M5BCzItY2bI</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">wG+GQwUTAwciIh5AehbpKOqrk2m588PI11i0x8bc5z3/I3YZbWhdpyJAmNErE/Et</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">X5nSqVn2lDoooDA9AwE6fRr2oNNxDLE0yREt88cD2EE3/iweQbpeGBSneIFKGdW3</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">b8zQdJi30gAe7kVS3FFnYXqNaHNhKm/WvODzwRNLSAN6Z1KwJZ79Q3uh19vkl6vr</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">uQGNBGBm0jYBDACxBNtcNethMzVIig0BIQbrCJ4wVS01waB3WWe71s9RUbJn/LFd</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">pey/f0NQrMdoUJP75Do91cS6SFI956F7l5AMWAWTDrNkiCQTG8ptegdAJQ81qWAd</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">V0L2YH+8CNYmfmTOqh3L+cOya6yanNMMM1+c1zjQjCLWzOZog7tBm+1891Gwy8nT</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">m1jf+oETqUcVV+ePrGaaNLWOB+U69/q6XOScaV/HeQrYLE6MTsoiFgKNEirrDDzj</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">rd3bjFZzttD8Cuknt7rsOtZC393JHMSu4f2SPy2Wct1r77z2PxBIkKjTJS3Ax2Lf</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">3rZ3Yt08v1Bmjyxq+zXoIUuSwSNnAP7AJyBKaOtZ/BRjT4xYL9uf0LaIC/a840SB</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">B3f9N3YzfYgL6GeRib6vv6OrWRPjs/ld8kaj1/l6m2Ry+VIs/433AWMp6b0nQqnS</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">EMy/72RuSxQogRbgNnwjk6mIBpEyeTQ7mXHslxK5fJVAOPdOGIVAQziQ82BdA9Yw</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">92ha17TJ1nKz/x8AEQEAAYkBvAQYAQoAJhYhBDkBU2OLJ6a4vOF/XP8EFZd3bGtk</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">BQJgZtI2AhsMBQkDwmcAAAoJEP8EFZd3bGtkCZAL/ioNDjl54jiVARfIdqSZPS77</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">tkkB+dGSuJgeZ+60/1gDpGXaWEyx73Mfbp+DT80k2JQ86Cls9S5xuy95gECMo/JI</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Jxc5gPdXEH+II+wmfVbQerf1cPmjlSliaRDczJKdO5R14i7IEnD56c+MYDqBvTvH</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">NAyjFqPrVXBUcqiuDva8PvUN+dcLGBYwGemlNHCt0L7kQ6TPjldjqSjyeUragJYO</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">Ak4lz+E4cl+V5xKWjFw81S2+sHVLUNmR4KaY5iyfSBSDgNDFW5xQrnClJBg0+4cv</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">QqDJRd4JJOYjBp/dLjmGeXmxuVyshGePUBYrOCsm1GTf3Razr+lgpn4OzW78MRVv</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">JFfcpGhafyTvZQrV7qa7Na8fjSLr+drbDDxm3WP2Tz9Un0tuDvayLhTU/AnWY2MT</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">v+LlwbUDmdrZx+VwMCj4ZwtYkVSqHUd1yfZ5s6I+yPcN6700Kw0dea628GEC+g9V</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">QE+GLOcciRHTBgzaL16trl40wZQ8iMpgnn/FEz+grw==</span></p>
<p style="font-family: Roboto Mono; font-size: 17px; line-height: 0.8;"><span style="color: rgb(0, 0, 0);">=6v1j</span></p>


-----END PGP PUBLIC KEY BLOCK-----

</div></div><div class="col-md-1"></div></div>
		    </div>
			
		
	    </div>
		

    </div>


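// Elementor (core) front-end bootstrap config, emitted server-side by WordPress
// and consumed by elementor frontend.min.js, which is loaded right after this
// inline script.
// Fix: the `post.featuredImage` string literal was broken across two lines
// (`"https:\/\` followed by a newline and `/www...`). A raw newline inside a
// double-quoted JS string is a syntax error, which would have aborted this whole
// script and left `elementorFrontendConfig` undefined for the frontend bundle.
// The literal is rejoined on one line below; no values were changed.
var elementorFrontendConfig = {"environmentMode":{"edit":false,"wpPreview":false,"isScriptDebug":false},"i18n":{"shareOnFacebook":"Share on Facebook","shareOnTwitter":"Share on Twitter","pinIt":"Pin it","download":"Download","downloadImage":"Download image","fullscreen":"Fullscreen","zoom":"Zoom","share":"Share","playVideo":"Play Video","previous":"Previous","next":"Next","close":"Close"},"is_rtl":false,"breakpoints":{"xs":0,"sm":480,"md":768,"lg":1140,"xl":1440,"xxl":1600},"responsive":{"breakpoints":{"mobile":{"label":"Mobile","value":767,"default_value":767,"direction":"max","is_enabled":true},"mobile_extra":{"label":"Mobile Extra","value":880,"default_value":880,"direction":"max","is_enabled":false},"tablet":{"label":"Tablet","value":1139,"default_value":1024,"direction":"max","is_enabled":true},"tablet_extra":{"label":"Tablet Extra","value":1200,"default_value":1200,"direction":"max","is_enabled":false},"laptop":{"label":"Laptop","value":1366,"default_value":1366,"direction":"max","is_enabled":false},"widescreen":{"label":"Widescreen","value":2400,"default_value":2400,"direction":"min","is_enabled":false}}},"version":"3.6.1","is_static":false,"experimentalFeatures":{"e_optimized_assets_loading":true,"e_optimized_css_loading":true,"e_font_icon_svg":true,"e_import_export":true,"e_hidden_wordpress_widgets":true,"theme_builder_v2":true,"landing-pages":true,"elements-color-picker":true,"favorite-widgets":true,"admin-top-bar":true,"page-transitions":true,"form-submissions":true,"e_scroll_snap":true},"urls":{"assets":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor\/assets\/"},"settings":{"page":[],"editorPreferences":[]},"kit":{"viewport_tablet":1139,"active_breakpoints":["viewport_mobile","viewport_tablet"],"lightbox_enable_fullscreen":"yes","lightbox_title_src":"title","lightbox_description_src":"description"},"post":{"id":18164,"title":"HabitsRAT%20Used%20to%20Target%20Linux%20and%20Windows%20Servers%20-%20Intezer","excerpt":"","featuredImage":"https:\/\/www.intezer.com\/wp-content\/uploads\/2021\/04\/BlogPostImage_1024x475_02-1024x475.png"}};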
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.6.1' id='elementor-frontend-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js?ver=3.6.4' id='pro-elements-handlers-js'></script>
<script type="text/javascript" id="slb_context">/* <![CDATA[ */
// Simple Lightbox (SLB) viewer context. Runs only when jQuery is present,
// waits for DOM ready, then tags the global SLB object (if it was loaded)
// with the context of the current visitor.
if (window.jQuery) {
	jQuery(function ($) {
		if (window.SLB) {
			$.extend(SLB, {"context":["public","user_guest"]});
		}
	});
}
/* ]]> */</script>
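		<script type="text/javascript">
			// Gauges (gaug.es) analytics loader: creates an async <script> for the
			// vendor tracker and inserts it ahead of the first script on the page.
			(function() {
			var t   = document.createElement( 'script' );
			t.type  = 'text/javascript';
			t.async = true;
			t.id    = 'gauges-tracker';
			t.setAttribute( 'data-site-id', '5fd5ade352684d3c97554910' );
			// Explicit https: scheme. The original used a protocol-relative '//'
			// URL, which would fetch this third-party script over plain HTTP on any
			// HTTP rendering of the page and expose it to in-transit tampering.
			// No SRI hash is set: the vendor presumably serves a mutable file, so
			// the practical control is a CSP script-src allow-list for this host.
			t.src = 'https://secure.gaug.es/track.js';
			var s = document.getElementsByTagName( 'script' )[0];
			s.parentNode.insertBefore( t, s );
			})();
		</script>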
		<script src='https://stats.wp.com/e-202213.js' defer></script>
<script>
	// WordPress.com Stats (Jetpack) tracking queue. The stats script loaded
	// above with `defer` presumably drains this queue once it runs, so pushes
	// made here before it loads are not lost.
	var _stq = window._stq || [];
	var statsViewPayload = {v:'ext',j:'1:10.8-a.9.2',blog:'186808338',post:'18164',tz:'-4',srv:'www.intezer.com'};
	_stq.push([ 'view', statsViewPayload ]);
	_stq.push([ 'clickTrackerInit', '186808338', '18164' ]);
</script>
<noscript><link rel="stylesheet" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=10.8-a.9.2" media="all" /></noscript>
<noscript><link   data-wpacu-apply-media-query='screen and (min-width: 1024px)' rel='stylesheet' id='elementor-post-16929-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-16929.css?ver=1648399843' media='all' /></noscript>
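        <script type="text/javascript"> /* <![CDATA[ */
        // Google Ads remarketing tag parameters, read by conversion.js below.
        var google_conversion_id = 842858921;
        var google_custom_params = window.google_tag_params;
        var google_remarketing_only = true;
        /* ]]> */ </script>
        <!-- Explicit https: scheme instead of the original protocol-relative '//'
             URLs, so neither the third-party script nor the noscript pixel can be
             fetched over plain HTTP. -->
        <script type="text/javascript" src="https://www.googleadservices.com/pagead/conversion.js"></script>
        <noscript>
          <div style="display:inline;">
            <img height="1" width="1" style="border-style:none;" alt="" src="https://googleads.g.doubleclick.net/pagead/viewthroughconversion/842858921/?guid=ON&amp;script=0">
          </div>
        </noscript>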

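<!-- HubSpot tracking loader. Explicit https: scheme instead of the original
     protocol-relative '//' URL so the third-party script is never fetched over
     plain HTTP. `async` takes precedence; `defer` is the fallback for older
     engines that ignore async. -->
<script type="text/javascript" id="hs-script-loader" async defer src="https://js.hs-scripts.com/5492986.js"></script>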

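<script>
  // Google Ads conversion ping for the account-creation success page.
  // Runs on window 'load' so that the gtag loader (not visible in this
  // snippet) has had a chance to define gtag() before it is called.
  window.addEventListener('load', function() {
    if (window.location.pathname !== '/create-account/created') {
      return;
    }
    // The original called gtag() unconditionally; if the loader is blocked
    // (content blocker, CSP, network failure) that throws a ReferenceError
    // inside the load handler. Skip quietly instead.
    if (typeof gtag !== 'function') {
      return;
    }
    gtag('event', 'conversion', {
      'send_to': 'AW-725468766/6LItCJ7G_awDEN6M99kC'
    });
  });
</script>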

    </body>
</html>
<!--
	generated in 0.747 seconds
	164454 bytes batcached for 300 seconds
-->
